---
title: Roles & Permissions
description: How user roles and permissions work in ESO, and how to customise access for individual users.
---

ESO uses a role-based access control system. Every member of your organisation is assigned a **role**, and each role comes with a predefined set of **permissions**. Administrators can further fine-tune access with **per-user overrides** and **access scopes**.

## Built-in roles

### `org:admin`

Full access to everything in the platform. Admins can:

* Manage all inventory, packing lists, containers, projects, and clients.
* Read and write invoices, quotes, and supplier data.
* Manage organisation settings, invite links, and member roles.
* Grant and revoke permissions for other users.

### `org:member`

Standard operator access. Members can:

* Create, view, and update inventory, packing lists, containers, projects, and clients.
* Finalise and progress packing lists through the shipping lifecycle.
* Read invoices; create and update quotes and suppliers.
* **Cannot:** delete inventory, delete packing lists, write invoices, manage organisation settings, or manage permissions.

### `truck_broker`

Restricted access for external logistics partners. Truck brokers can only:

* View packing lists that have been explicitly assigned to their broker company.

They cannot see any other data in the organisation.

***

## Permission reference

Permissions are grouped by feature area:

| Permission                 | Key                               | Description                                     |
| -------------------------- | --------------------------------- | ----------------------------------------------- |
| View packing lists         | `packing_lists.read`              | See packing lists and their items.              |
| Create packing lists       | `packing_lists.create`            | Create new packing lists.                       |
| Update packing lists       | `packing_lists.update`            | Edit items while in an editable status.         |
| Delete packing lists       | `packing_lists.delete`            | Delete packing lists.                           |
| Finalize / ship / close    | `packing_lists.finalize`          | Advance through `shipped → delivered → closed`. |
| Revert packing list status | `packing_lists.revert`            | Step a packing list back one status.            |
| Delete attachments         | `packing_lists.attachment.delete` | Remove files from packing lists.                |
| View audit history         | `packing_lists.audit.read`        | See the status-change history log.              |
| View inventory             | `inventory.read`                  | See inventory items and quantities.             |
| Create inventory           | `inventory.create`                | Add new inventory items.                        |
| Update inventory           | `inventory.update`                | Edit items and adjust quantities.               |
| Delete inventory           | `inventory.delete`                | Remove inventory items.                         |
| View inventory audit       | `inventory.audit.read`            | See historical audit entries for inventory.     |
| Merge inventory            | `inventory.merge`                 | Merge duplicate inventory records.              |
| View containers            | `containers.read`                 | See containers and their attachments.           |
| Create containers          | `containers.create`               | Add containers and upload files.                |
| Update containers          | `containers.update`               | Edit container details.                         |
| View projects              | `projects.read`                   | See projects.                                   |
| Create / update projects   | `projects.write`                  | Create and edit projects (includes financials). |
| Delete projects            | `projects.delete`                 | Remove projects.                                |
| View clients               | `clients.read`                    | See clients.                                    |
| Create clients             | `clients.create`                  | Add new clients.                                |
| Update clients             | `clients.update`                  | Edit client details.                            |
| Delete clients             | `clients.delete`                  | Remove clients.                                 |
| View invoices              | `invoices.read`                   | See invoices and payment data.                  |
| Manage invoices            | `invoices.write`                  | Create, edit, and record payments.              |
| View quotes                | `quotes.read`                     | See quotes.                                     |
| Manage quotes              | `quotes.write`                    | Create and update quotes.                       |
| View suppliers             | `suppliers.read`                  | See supplier catalogue.                         |
| Manage suppliers           | `suppliers.write`                 | Create and update suppliers and services.       |
| View org settings          | `settings.org.read`               | See organisation configuration.                 |
| Update org settings        | `settings.org.update`             | Change organisation-level settings.             |
| View members               | `settings.members.read`           | See who is in the organisation.                 |
| Invite members             | `settings.members.invite`         | Generate invitation links.                      |
| Update members             | `settings.members.update`         | Change member roles.                            |
| Remove members             | `settings.members.remove`         | Remove users from the organisation.             |
| View permissions           | `settings.permissions.read`       | See role and override configuration.            |
| Manage permissions         | `settings.permissions.update`     | Modify roles and per-user overrides.            |

***

## Per-user permission overrides

Administrators can grant or deny individual permissions to specific users independently of their role. For example, you could grant `invoices.write` to a single `org:member` without changing their role.
Navigate to **Settings → Permissions** and find the user to add an override.

***

## Access scopes

In addition to permissions, users can be restricted to specific **projects**, **clients**, or **locations**. When a scope is configured, the user can only see data that falls within those scoped resources.
Access scopes support both `allow` and `deny` effects:

* **Allow scopes** — The user can only see the listed resources.
* **Deny scopes** — The user can see everything *except* the listed resources.

Scopes are also configurable from **Settings → Permissions**.
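
The following model shows how a role's permissions, per-user overrides, and access scopes combine into one access decision, and how to flag overrides that grant control over other users' access. It is an added example, not ESO's code: the `User` record, the `"grant"`/`"deny"` strings, the resource ids, and the rule of one scope effect per resource kind are assumptions, and the `org:member` set is a partial transcription of the role description above.

```python
from dataclasses import dataclass, field

# Partial transcription of the org:member description on this page.
ROLE_PERMISSIONS = {
    "org:member": {
        "packing_lists.read", "packing_lists.create", "packing_lists.update",
        "packing_lists.finalize", "inventory.read", "inventory.create",
        "inventory.update", "invoices.read", "quotes.write", "suppliers.write",
    },
}
# Keys from the permission table that let a user change other users' access.
SENSITIVE = {"settings.permissions.update", "settings.members.update"}

@dataclass
class User:  # hypothetical record, not an ESO data structure
    role: str
    overrides: dict = field(default_factory=dict)  # key -> "grant" | "deny"
    scopes: dict = field(default_factory=dict)     # kind -> (effect, ids)

def effective_permissions(user):
    """Role defaults, then per-user overrides applied on top."""
    perms = set(ROLE_PERMISSIONS[user.role])
    for key, effect in user.overrides.items():
        if effect == "grant":
            perms.add(key)
        else:
            perms.discard(key)
    return perms

def in_scope(user, kind, resource_id):
    if kind not in user.scopes:  # no scope configured for this kind
        return True
    effect, ids = user.scopes[kind]
    return resource_id in ids if effect == "allow" else resource_id not in ids

def can(user, key, kind=None, resource_id=None):
    """Permission check first, then the scope check on the resource."""
    if key not in effective_permissions(user):
        return False
    return kind is None or in_scope(user, kind, resource_id)

def risky_overrides(user):
    """Grants that hand control over roles or permissions to this user."""
    return sorted(k for k, e in user.overrides.items()
                  if e == "grant" and k in SENSITIVE)

# Constructed sample: a member who may write invoices, limited to one project.
alice = User("org:member",
             overrides={"invoices.write": "grant", "inventory.update": "deny"},
             scopes={"project": ("allow", {"proj-1"})})
```

Running `risky_overrides` across every non-admin user is a quick review step after overrides have been edited.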